Fix Open Redirect meta refresh regex for when url= is not quoted (c…

…loses #74).
ronin-rb · May 25, 2024 · 7fa453a · 7fa453a
1 parent 609d802
commit 7fa453a
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 3 deletions.
diff --git a/lib/ronin/vulns/open_redirect.rb b/lib/ronin/vulns/open_redirect.rb
@@ -95,9 +95,9 @@ def vulnerable?
                 http-equiv\s*=\s*(?: "refresh" | 'refresh' | refresh )\s+
                 content\s*=\s*
                 (?:
-                 "\s*\d+\s*;\s*url\s*=\s*'\s*#{escaped_test_url}\s*'\s*"|
-                 '\s*\d+\s*;\s*url\s*=\s*"\s*#{escaped_test_url}\s*"\s*'|
-                 \s*\d+;url=(?: "#{escaped_test_url}" | '#{escaped_test_url}' )
+                 "\s*\d+\s*;\s*url\s*=\s*(?: '\s*#{escaped_test_url}\s*' | #{escaped_test_url} )\s*"|
+                 '\s*\d+\s*;\s*url\s*=\s*(?: "\s*#{escaped_test_url}\s*" | #{escaped_test_url} )\s*'|
+                 \s*\d+;url=(?: "#{escaped_test_url}" | '#{escaped_test_url}' | #{escaped_test_url} )
                 )\s*
                 (?:/\s*)?>
             }xi

diff --git a/spec/open_redirect_spec.rb b/spec/open_redirect_spec.rb
@@ -437,6 +437,27 @@
                 expect(subject.vulnerable?).to be_truthy
               end
             end
+
+            context "and the url value is not quoted" do
+              let(:response_body) do
+                <<~HTML
+                  <html>
+                    <head>
+                      <meta http-equiv="refresh" content='0;url=#{subject.test_url}'/>
+                    </head>
+                    <body>
+                      <p>example content</p>
+                      <p>included content</p>
+                      <p>more content</p>
+                    </body>
+                  </html>
+                HTML
+              end
+
+              it "must return true" do
+                expect(subject.vulnerable?).to be_truthy
+              end
+            end
           end
 
           context "when the content attribute is double quoted" do
@@ -460,6 +481,27 @@
                 expect(subject.vulnerable?).to be_truthy
               end
             end
+
+            context "and the url value is not quoted" do
+              let(:response_body) do
+                <<~HTML
+                  <html>
+                    <head>
+                      <meta http-equiv="refresh" content="0;url=#{subject.test_url}"/>
+                    </head>
+                    <body>
+                      <p>example content</p>
+                      <p>included content</p>
+                      <p>more content</p>
+                    </body>
+                  </html>
+                HTML
+              end
+
+              it "must return true" do
+                expect(subject.vulnerable?).to be_truthy
+              end
+            end
           end
 
           context "when the content attribute is not quoted" do
@@ -504,6 +546,27 @@
                 expect(subject.vulnerable?).to be_truthy
               end
             end
+
+            context "and the url value is not quoted" do
+              let(:response_body) do
+                <<~HTML
+                  <html>
+                    <head>
+                      <meta http-equiv="refresh" content=0;url=#{subject.test_url}/>
+                    </head>
+                    <body>
+                      <p>example content</p>
+                      <p>included content</p>
+                      <p>more content</p>
+                    </body>
+                  </html>
+                HTML
+              end
+
+              it "must return true" do
+                expect(subject.vulnerable?).to be_truthy
+              end
+            end
           end
 
           context "when there is a space after the content attribute name" do